CVE-2026-21438

EPSS 0.02%
Veröffentlicht 12.02.2026 18:25:34
Zuletzt bearbeitet 19.02.2026 22:50:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Quic-go ≫ Webtransport-go SwPlatformgo Version < 0.10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.04

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

CWE-459 Incomplete Cleanup

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0

Product

Release Notes

https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-21438

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-21438

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-21438

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-21438